feat(docker): harden backend and frontend images with non-root user and Trivy CVE scanning

[Aditi-24-05]

Description

Hardens the Docker setup for both backend and frontend containers as outlined in issue #245.

Changes include running containers as non-root users, pinning base images to specific versions, patching a critical OpenSSL CVE (CVE-2026-31789), adding a GitHub Actions workflow for automated Trivy vulnerability scanning, and documenting a base image update policy.

Also fixes two pre-existing bugs discovered during testing:

• CMD pointed to secuscan.api which does not exist, corrected to secuscan.main
• COPY plugins in the backend Dockerfile referenced a path outside the build context, removed since plugins are injected via volume mount at runtime

Related Issues

Closes #245

Type of Change

• Bug fix (non-breaking change which fixes an issue)
• New feature (non-breaking change which adds functionality)
• Documentation update

How Has This Been Tested?

Integration tests: new pytest suite covering all hardening requirements:
All tests passed:

• TestNonRootUser- backend runs as secuscan (UID 1001), frontend as nginx (UID 101)
• TestSUIDFiles - no unexpected SUID/SGID binaries in either image
• TestDockerfileStructure - USER instruction, pinned base, HEALTHCHECK, apt cleanup all verified
• TestTrivyCVEGate - zero unfixed CRITICAL CVEs in both images after patching OpenSSL

Manual smoke tests:

docker run --rm secuscan-backend:test id
# uid=1001(secuscan) gid=1001(secuscan)

docker run --rm secuscan-frontend:test id  
# uid=101(nginx) gid=101(nginx)

trivy image --severity CRITICAL --ignore-unfixed secuscan-backend:test
trivy image --severity CRITICAL --ignore-unfixed secuscan-frontend:test
# 0 vulnerabilities found in both

Full stack:

docker compose up --build
# GET /api/v1/health HTTP/1.1" 200 OK healthcheck passing

Checklist

• My code follows the code style of this project.
• I have performed a self-review of my own code.
• I have commented my code, particularly in hard-to-understand areas.
• I have made corresponding changes to the documentation.
• My changes generate no new warnings.

[utksh1]

Requesting changes. The idea is useful, but multiple new Docker hardening/Trivy jobs are failing and formatting-hygiene is red. Please make the hardening checks deterministic in CI, fix the failing Trivy/policy gates, remove any line-ending/formatting issues, and keep the tests runnable without requiring local Docker unless they are explicitly skipped.

[utksh1]

Thanks for following up. Clarifying the change request so it is actionable:

Why this is blocked:
Requesting changes. The idea is useful, but multiple new Docker hardening/Trivy jobs are failing and formatting-hygiene is red. Please make the hardening checks deterministic in CI, fix the failing Trivy/policy gates, remove any line-ending/formatting issues, and keep the tests runnable without requiring local Docker unless they are explicitly skipped.

What to do next:

• Fix the specific issues called out above.
• Push the updated branch and make sure the relevant CI checks pass.
• Reply here when ready for re-review.

[github-advanced-security]

You are seeing this message because GitHub Code Scanning has recently been set up for this repository, or this pull request contains the workflow file for the Code Scanning tool.

What Enabling Code Scanning Means:

• The 'Security' tab will display more code scanning analysis results (e.g., for the default branch).
• Depending on your configuration and choice of analysis tool, future pull requests will be annotated with code scanning analysis results.
• You will be able to see the analysis results for the pull request's branch on this overview once the scans have completed and the checks have passed.

For more information about GitHub Code Scanning, check out the documentation.

[Aditi-24-05]

Hey! Fixed the CI issues, bumped trivy-action to v0.36.0 and cleaned up trailing whitespace across the new files. All jobs are green now, feel free to take a look!

[utksh1]

Re-reviewed latest state. CI is now green, but this remains high-blast-radius Docker/CI work. Please make sure Docker-dependent tests are explicitly skipped or isolated when Docker is unavailable, and split policy/Trivy workflow changes from Dockerfile hardening if possible so failures are easier to diagnose and review.

[Aditi-24-05]

Hey! Docker-dependent tests are already guarded via pytest.mark.skipif, requires_docker and requires_trivy markers skip the relevant test classes automatically when Docker or Trivy is unavailable. Will split the trivy workflow changes from the docker one. Any other changes before I start working ?

[utksh1]

Re-reviewed after the latest updates and maintainer cleanup. The Docker/Trivy workflows are split, Docker-dependent checks are isolated in CI, formatting is fixed, the JSON Trivy report artifact is generated before upload, and all CI checks are passing.